New data protection regulation in Nevada, USA

Nevada Senate Bill 220 – A Mini-CCPA

California’s passing of the Consumer Privacy Act 2018 (CCPA) has attracted a lot of attention. The GDPR-inspired legislation sparked a national outburst of data protection legislation, notably the New York Privacy Act (SB 224) and the Washington Privacy Act (SB 5367). Whilst a lot of these pursuits came to an end through expiration of this year’s legislative session or are still held up in several Committees, the Nevada State legislature passed SB 220 “An Act Relating to Internet Privacy”. It will become effective on 1^st October 2019, three months earlier than the CCPA.

What’s new?

The Act Relating to Internet Privacy is modelled after the section of the CCPA that allows consumers to opt-out of the sale of their personal information. This choice of the consumer relates not only to information already collected by operators but also covers information which will be collected in the future. Operators must honour a consumer’s request if they can reasonably verify the authenticity of the request as well as the identity of the consumer using commercially reasonable means.

What’s covered?

• “Consumer”: “Consumer” means a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.
• “Information”: The Act covers items of personally identifiable information about a consumer collected by the operator through a website or an online service, which is maintained by the operator in an accessible form. It includes an individual’s first and last name, their home address, their electronic email address, their telephone or social security number.
• “Sale”: “Sale” means the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are certain exceptions to the term, such as disclosing covered information to a person who processes the covered information on behalf of the operator.

Is Nevada’s Bill a copy of the CCPA?

Even though NSB 220 is modelled after the CCPA, there are some key differences to keep in mind:

First and foremost, NSB 220 does not include rights of access, information, portability, deletion, or non-discrimination. Unlike the CCPA, Nevada’s Act comes with a range of possibilities for consumers to exercise their right and does not require a specific ‘Do Not Sell My Personal Information’-link on the operator’s website. Operators have to provide one of the following mechanisms in order for consumers to submit their opt-out request: e-mail address, toll-free telephone number or an internet website. NSB 220 also requires an opt-out of the sale regardless of the consumer’s age.

Could your business be affected?

Nevada’s Act applies to operators of internet websites and online services. Your business will qualify if it fulfils, cumulatively, the following three criteria.

• You own or operate an internet website or online service for commercial purposes;
• You collect and maintain information (in the meaning of NSB 220) from consumers who reside in Nevada and use or visit Your internet website or online service;
• You purposefully direct Your activities towards Nevada, consummate some transaction with Nevada or one of its residents, purposefully avail Yourself of the privilege of conducting activities in this State or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirement of the US Constitution.

However, NSB 220 provides for certain exceptions. For instance, manufacturers of motor vehicles that collect personal information retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle.

As long as foreign operators (e.g. EU companies) fulfil the above criteria, especially for their activities to constitute sufficient nexus with Nevada, NSB 220 will be applicable to them.

Risks of non-compliance

Commencing this fall, affected businesses that do not comply with NSB 220 face the risk of a temporary or permanent injunctions and civil penalties up to $5,000 for each violation (both authorized by the Nevada Attorney General). The section creating a private right of action for consumers, which was originally intended, was eliminated during the legislative process.

What’s next?

After California and Maine (LD 946), the successful passage of NSB 220 might signal the development of a patchwork of more than fifty different data privacy laws. Yet, there is significant pressure created for the federal government by consumers, companies and State legislatures, which might make a unified data privacy standard for the whole country more realistic.